@rubytech/create-maxy-code 0.1.219 → 0.1.221

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (28) hide show
  1. package/package.json +1 -1
  2. package/payload/platform/plugins/admin/PLUGIN.md +2 -3
  3. package/payload/platform/plugins/admin/hooks/archive-ingest-surface-gate.sh +1 -2
  4. package/payload/platform/plugins/admin/hooks/lib/hook-emit.sh +3 -2
  5. package/payload/platform/plugins/admin/mcp/dist/index.js +2 -2
  6. package/payload/platform/plugins/admin/mcp/dist/index.js.map +1 -1
  7. package/payload/platform/plugins/admin/skills/admin-user-management/SKILL.md +1 -1
  8. package/payload/platform/plugins/admin/skills/platform-architecture/SKILL.md +8 -1
  9. package/payload/platform/plugins/admin/skills/plugin-management/SKILL.md +2 -2
  10. package/payload/platform/plugins/docs/references/troubleshooting.md +7 -0
  11. package/payload/platform/plugins/memory/references/graph-primitives.md +2 -2
  12. package/payload/platform/scripts/check-no-esm-require.mjs +3 -0
  13. package/payload/platform/scripts/setup-account.sh +0 -15
  14. package/payload/platform/services/claude-session-manager/dist/auth-snapshot.d.ts +4 -0
  15. package/payload/platform/services/claude-session-manager/dist/auth-snapshot.d.ts.map +1 -0
  16. package/payload/platform/services/claude-session-manager/dist/auth-snapshot.js +50 -0
  17. package/payload/platform/services/claude-session-manager/dist/auth-snapshot.js.map +1 -0
  18. package/payload/platform/services/claude-session-manager/dist/http-server.d.ts.map +1 -1
  19. package/payload/platform/services/claude-session-manager/dist/http-server.js +19 -2
  20. package/payload/platform/services/claude-session-manager/dist/http-server.js.map +1 -1
  21. package/payload/platform/services/claude-session-manager/dist/pty-spawner.d.ts.map +1 -1
  22. package/payload/platform/services/claude-session-manager/dist/pty-spawner.js +26 -19
  23. package/payload/platform/services/claude-session-manager/dist/pty-spawner.js.map +1 -1
  24. package/payload/server/server.js +49 -6
  25. package/payload/platform/plugins/admin/hooks/__tests__/pre-tool-use-admin-tool-gate.test.sh +0 -109
  26. package/payload/platform/plugins/admin/hooks/__tests__/pre-tool-use-base64-guard.test.sh +0 -204
  27. package/payload/platform/plugins/admin/hooks/__tests__/pre-tool-use-memory-write-passthrough.test.sh +0 -118
  28. package/payload/platform/plugins/admin/hooks/pre-tool-use.sh +0 -337
@@ -1,204 +0,0 @@
1
- #!/usr/bin/env bash
2
- # Regression test for the base64 context-overflow guard.
3
- #
4
- # Covers two PreToolUse rejection paths in pre-tool-use.sh:
5
- #
6
- # 1. Bash producer guard — `tool_input.command` invoking `base64` (encode
7
- # direction) or `xxd -p` is rejected; `base64 -d|-D|--decode` is allowed.
8
- # 2. Write/Edit consumer guard — `tool_input.content` (Write) or
9
- # `tool_input.new_string` (Edit) carrying `data:<mime>;base64,<≥4096 chars>`
10
- # is rejected; small inline data URIs and plain content are allowed.
11
- #
12
- # Plus a fail-open case (malformed stdin → exit 0 silent) to pin the contract
13
- # established by the playwright-file-guard test (terminal-stdin guard + parse-
14
- # error fail-open).
15
-
16
- set -u
17
-
18
- HOOK="$(cd "$(dirname "$0")/.." && pwd)/pre-tool-use.sh"
19
- if [[ ! -x "$HOOK" ]]; then
20
- echo "FAIL: $HOOK not executable" >&2
21
- exit 1
22
- fi
23
-
24
- TMPFILES=()
25
- cleanup_test_state() {
26
- for f in "${TMPFILES[@]:-}"; do
27
- [[ -n "$f" ]] && rm -f "$f" 2>/dev/null || true
28
- done
29
- }
30
- trap cleanup_test_state EXIT
31
-
32
- PASS=0
33
- FAIL=0
34
- pass() { echo "PASS: $1"; PASS=$((PASS + 1)); }
35
- fail() { echo "FAIL: $1" >&2; FAIL=$((FAIL + 1)); }
36
-
37
- # Helper: run hook with Bash tool_input.command and assert exit code + stderr.
38
- run_bash() {
39
- local command_text="$1"; local expected_rc="$2"; local stderr_pattern="$3"; local label="$4"
40
- local input_json
41
- # Build the input JSON via python3 so command_text with quotes / specials is safe.
42
- input_json=$(python3 -c '
43
- import json, sys
44
- print(json.dumps({"hook_event_name": "PreToolUse", "tool_name": "Bash", "tool_input": {"command": sys.argv[1]}, "transcript_path": "/tmp/sess/parent.jsonl", "parent_tool_use_id": "toolu_test_subagent"}, separators=(",", ":")))
45
- ' "$command_text")
46
- local stdout_file; stdout_file=$(mktemp); TMPFILES+=("$stdout_file")
47
- local stderr_file; stderr_file=$(mktemp); TMPFILES+=("$stderr_file")
48
- printf '%s' "$input_json" | bash "$HOOK" admin >"$stdout_file" 2>"$stderr_file"
49
- local rc=$?
50
- if [[ "$rc" -ne "$expected_rc" ]]; then
51
- fail "$label: expected exit $expected_rc, got $rc. Stderr: $(cat "$stderr_file")"
52
- return
53
- fi
54
- if [[ -n "$stderr_pattern" ]] && ! grep -qE "$stderr_pattern" "$stderr_file"; then
55
- fail "$label: stderr missing pattern '$stderr_pattern'. Got: $(cat "$stderr_file")"
56
- return
57
- fi
58
- pass "$label"
59
- }
60
-
61
- # Helper: run hook with Write tool_input.content and assert exit code + stderr.
62
- run_write() {
63
- local content="$1"; local expected_rc="$2"; local stderr_pattern="$3"; local label="$4"
64
- local input_json
65
- input_json=$(python3 -c '
66
- import json, sys
67
- print(json.dumps({"hook_event_name": "PreToolUse", "tool_name": "Write", "tool_input": {"file_path": "/tmp/test.html", "content": sys.argv[1]}, "transcript_path": "/tmp/sess/parent.jsonl", "parent_tool_use_id": "toolu_test_subagent"}, separators=(",", ":")))
68
- ' "$content")
69
- local stdout_file; stdout_file=$(mktemp); TMPFILES+=("$stdout_file")
70
- local stderr_file; stderr_file=$(mktemp); TMPFILES+=("$stderr_file")
71
- printf '%s' "$input_json" | bash "$HOOK" admin >"$stdout_file" 2>"$stderr_file"
72
- local rc=$?
73
- if [[ "$rc" -ne "$expected_rc" ]]; then
74
- fail "$label: expected exit $expected_rc, got $rc. Stderr: $(cat "$stderr_file")"
75
- return
76
- fi
77
- if [[ -n "$stderr_pattern" ]] && ! grep -qE "$stderr_pattern" "$stderr_file"; then
78
- fail "$label: stderr missing pattern '$stderr_pattern'. Got: $(cat "$stderr_file")"
79
- return
80
- fi
81
- pass "$label"
82
- }
83
-
84
- # Helper: run hook with Edit tool_input.new_string and assert exit code.
85
- run_edit() {
86
- local new_string="$1"; local expected_rc="$2"; local stderr_pattern="$3"; local label="$4"
87
- local input_json
88
- input_json=$(python3 -c '
89
- import json, sys
90
- print(json.dumps({"hook_event_name": "PreToolUse", "tool_name": "Edit", "tool_input": {"file_path": "/tmp/test.html", "old_string": "OLD", "new_string": sys.argv[1]}, "transcript_path": "/tmp/sess/parent.jsonl", "parent_tool_use_id": "toolu_test_subagent"}, separators=(",", ":")))
91
- ' "$new_string")
92
- local stdout_file; stdout_file=$(mktemp); TMPFILES+=("$stdout_file")
93
- local stderr_file; stderr_file=$(mktemp); TMPFILES+=("$stderr_file")
94
- printf '%s' "$input_json" | bash "$HOOK" admin >"$stdout_file" 2>"$stderr_file"
95
- local rc=$?
96
- if [[ "$rc" -ne "$expected_rc" ]]; then
97
- fail "$label: expected exit $expected_rc, got $rc. Stderr: $(cat "$stderr_file")"
98
- return
99
- fi
100
- if [[ -n "$stderr_pattern" ]] && ! grep -qE "$stderr_pattern" "$stderr_file"; then
101
- fail "$label: stderr missing pattern '$stderr_pattern'. Got: $(cat "$stderr_file")"
102
- return
103
- fi
104
- pass "$label"
105
- }
106
-
107
- # Generate a base64-character blob >= 4096 chars (data-URI body trigger).
108
- LARGE_B64=$(python3 -c "print('A' * 5000)")
109
-
110
- # ───────── Bash producer guard ──────────────────────────────────────────────
111
- run_bash "echo hello world" 0 "" \
112
- "Test 1: bare Bash command (no base64) allowed"
113
-
114
- run_bash "ls -la" 0 "" \
115
- "Test 2: ls -la (no base64 token) allowed"
116
-
117
- run_bash "base64 /tmp/foo.png" 2 '\[pre-tool-use\] guard=base64-tool-result.*tool=Bash.*reason=base64-encoder.*action=reject' \
118
- "Test 3: 'base64 file' (encode) rejected"
119
-
120
- run_bash "cat foo.png | base64" 2 '\[pre-tool-use\] guard=base64-tool-result.*action=reject' \
121
- "Test 4: 'cat | base64' (encode pipeline) rejected"
122
-
123
- run_bash "cat foo.png|base64 -w0" 2 '\[pre-tool-use\] guard=base64-tool-result.*action=reject' \
124
- "Test 5: 'base64 -w0' (encode with line-wrap flag) rejected"
125
-
126
- run_bash "xxd -p file.bin" 2 '\[pre-tool-use\] guard=base64-tool-result.*reason=xxd-plain-hex.*action=reject' \
127
- "Test 6: 'xxd -p' (plain hex encode) rejected"
128
-
129
- run_bash "base64 -d input.b64 > output.bin" 0 "" \
130
- "Test 7: 'base64 -d' (decode direction) allowed"
131
-
132
- run_bash "base64 --decode < x.b64 > y.bin" 0 "" \
133
- "Test 8: 'base64 --decode' (decode long-form) allowed"
134
-
135
- run_bash "echo Zm9v | base64 -d" 0 "" \
136
- "Test 9: 'base64 -d' decode pipeline allowed"
137
-
138
- run_bash "echo '--debug-base64-foo'" 0 "" \
139
- "Test 10: 'base64' substring inside flag name does NOT false-match"
140
-
141
- run_bash "ls mybase64tool" 0 "" \
142
- "Test 11: 'base64' substring inside identifier does NOT false-match"
143
-
144
- run_bash "cat in.b64 | base64 -d > /tmp/foo.bin; cat /tmp/bar.png | base64" 2 '\[pre-tool-use\] guard=base64-tool-result.*reason=base64-encoder.*action=reject' \
145
- "Test 11b: compound (decode ; encode) rejects encoder segment (per-segment scan)"
146
-
147
- run_bash "echo data | base64 -d > x.bin && cat y.png | base64 > y.b64" 2 '\[pre-tool-use\] guard=base64-tool-result.*action=reject' \
148
- "Test 11c: compound (decode && encode) rejects encoder segment"
149
-
150
- run_bash "base64 -d in.b64 > out.bin; base64 -d in2.b64 > out2.bin" 0 "" \
151
- "Test 11d: compound (decode ; decode) allowed"
152
-
153
- # ───────── Write/Edit consumer guard ────────────────────────────────────────
154
- run_write "<html><body>hello world</body></html>" 0 "" \
155
- "Test 12: Write small HTML content (no data URI) allowed"
156
-
157
- run_write "<img src='data:image/png;base64,AAAA'>" 0 "" \
158
- "Test 13: Write content with small inline data URI (<4096 chars) allowed"
159
-
160
- run_write "<img src='data:image/png;base64,${LARGE_B64}'>" 2 '\[pre-tool-use\] guard=base64-write-content.*action=reject' \
161
- "Test 14: Write content with large inline data URI (>4096 chars) rejected"
162
-
163
- run_edit "<img src='data:image/png;base64,${LARGE_B64}'>" 2 '\[pre-tool-use\] guard=base64-write-content.*action=reject' \
164
- "Test 15: Edit new_string with large inline data URI rejected"
165
-
166
- run_edit "<p>just text replacement</p>" 0 "" \
167
- "Test 16: Edit new_string with plain text allowed"
168
-
169
- # ───────── Fail-open / structural ───────────────────────────────────────────
170
- STDOUT_FILE=$(mktemp); STDERR_FILE=$(mktemp); TMPFILES+=("$STDOUT_FILE" "$STDERR_FILE")
171
- printf '%s' 'not json at all { ' | bash "$HOOK" admin >"$STDOUT_FILE" 2>"$STDERR_FILE"
172
- RC=$?
173
- if [[ "$RC" -ne 0 ]]; then
174
- fail "Test 17: malformed stdin should fail open (exit 0), got $RC. Stderr: $(cat "$STDERR_FILE")"
175
- else
176
- pass "Test 17: malformed stdin → silent passthrough (fail-open)"
177
- fi
178
-
179
- # Terminal-stdin guard preserved (no -t 0 test runs in test harness; assert
180
- # the guard line exists in source).
181
- if ! grep -q '\[ -t 0 \]' "$HOOK"; then
182
- fail "Test 18: terminal stdin guard missing from hook source"
183
- else
184
- pass "Test 18: terminal stdin guard present in source"
185
- fi
186
-
187
- # Pre-existing guards still active — entitlement file edit still rejected.
188
- ENT_JSON=$(python3 -c 'import json; print(json.dumps({"hook_event_name":"PreToolUse","tool_name":"Write","tool_input":{"file_path":"/srv/entitlement.json","content":"{\"tier\":\"max\"}"},"transcript_path":"/tmp/sess/parent.jsonl","parent_tool_use_id":"toolu_test_subagent"}, separators=(",", ":")))')
189
- STDOUT_FILE=$(mktemp); STDERR_FILE=$(mktemp); TMPFILES+=("$STDOUT_FILE" "$STDERR_FILE")
190
- printf '%s' "$ENT_JSON" | bash "$HOOK" admin >"$STDOUT_FILE" 2>"$STDERR_FILE"
191
- RC=$?
192
- if [[ "$RC" -ne 2 ]]; then
193
- fail "Test 19: pre-existing entitlement guard regressed (expected exit 2, got $RC)"
194
- else
195
- pass "Test 19: pre-existing entitlement guard still rejects entitlement.json"
196
- fi
197
-
198
- echo
199
- echo "──────── pre-tool-use base64 guard test summary ────────"
200
- echo "PASS: $PASS"
201
- echo "FAIL: $FAIL"
202
-
203
- [[ "$FAIL" -gt 0 ]] && exit 1
204
- exit 0
@@ -1,118 +0,0 @@
1
- #!/usr/bin/env bash
2
- # Task 225 — passthrough regression test for memory-write / memory-update
3
- # under the admin agent's pre-tool-use.sh.
4
- #
5
- # The Task 213→222 chain previously gated both writers at the top of the
6
- # admin branch with an exit-2 block (admin direct) and an exit-0 allow
7
- # (Task-subagent). Task 225 reversed the doctrine: admin holds the
8
- # writers in its own surface and the case-block was deleted. This test
9
- # pins the new behaviour so a future re-introduction of the block
10
- # cannot land silently.
11
- #
12
- # Five cases:
13
- # 1. mcp__plugin_memory_memory__memory-write admin-direct → exit 0, no rejection stderr
14
- # 2. mcp__plugin_memory_memory__memory-update admin-direct → exit 0, no rejection stderr
15
- # 3. mcp__plugin_memory_memory__memory-search admin-direct → exit 0, no rejection stderr (read tool control)
16
- # 4. mcp__memory__memory-write admin-direct → exit 0 (pre-209 namespace, falls through harmlessly)
17
- # 5. malformed JSON stdin → exit 0 (no crash; case-block removal does not break fall-through)
18
-
19
- set -u
20
-
21
- HOOK="$(cd "$(dirname "$0")/.." && pwd)/pre-tool-use.sh"
22
- if [[ ! -x "$HOOK" ]]; then
23
- echo "FAIL: $HOOK not executable" >&2
24
- exit 1
25
- fi
26
-
27
- TMPFILES=()
28
- cleanup() {
29
- for f in "${TMPFILES[@]:-}"; do
30
- [[ -n "$f" ]] && rm -f "$f" 2>/dev/null || true
31
- done
32
- }
33
- trap cleanup EXIT
34
-
35
- PASS=0
36
- FAIL=0
37
- pass() { echo "PASS: $1"; PASS=$((PASS + 1)); }
38
- fail() { echo "FAIL: $1" >&2; FAIL=$((FAIL + 1)); }
39
-
40
- # Admin-direct calls land with a non-subagent transcript path. A synthetic
41
- # empty file in a temp dir is enough — the hook no longer reads the path
42
- # for the deleted writers' case-block, but other gates may still touch it.
43
- ADMIN_TRANSCRIPT=$(mktemp); TMPFILES+=("$ADMIN_TRANSCRIPT")
44
- : > "$ADMIN_TRANSCRIPT"
45
-
46
- run_with_tool() {
47
- local tool="$1"
48
- local sid="$2"
49
- local transcript_path="${3:-}"
50
- local stdout_file; stdout_file=$(mktemp); TMPFILES+=("$stdout_file")
51
- local stderr_file; stderr_file=$(mktemp); TMPFILES+=("$stderr_file")
52
- python3 -c '
53
- import json, sys
54
- payload = {
55
- "hook_event_name": "PreToolUse",
56
- "session_id": sys.argv[1],
57
- "tool_name": sys.argv[2],
58
- "tool_input": {"name":"Smalleys","accountId":"acct-x","scope":"shared"},
59
- }
60
- if sys.argv[3]:
61
- payload["transcript_path"] = sys.argv[3]
62
- print(json.dumps(payload, separators=(",", ":")))
63
- ' "$sid" "$tool" "$transcript_path" | bash "$HOOK" admin >"$stdout_file" 2>"$stderr_file"
64
- HOOK_RC=$?
65
- HOOK_STDERR=$(cat "$stderr_file")
66
- }
67
-
68
- assert_passthrough() {
69
- local label="$1"
70
- if [[ "$HOOK_RC" -ne 0 ]]; then
71
- fail "${label}: expected exit 0, got $HOOK_RC stderr: $HOOK_STDERR"
72
- return
73
- fi
74
- if echo "$HOOK_STDERR" | grep -qF "does not write to the graph directly"; then
75
- fail "${label}: stderr carries deleted-block rejection message: $HOOK_STDERR"
76
- return
77
- fi
78
- pass "${label}: exit 0, no rejection stderr"
79
- }
80
-
81
- # --- 1. memory-write admin-direct passthrough ---------------------------
82
- run_with_tool "mcp__plugin_memory_memory__memory-write" "sess-write-1" "$ADMIN_TRANSCRIPT"
83
- assert_passthrough "admin-direct memory-write"
84
-
85
- # --- 2. memory-update admin-direct passthrough --------------------------
86
- run_with_tool "mcp__plugin_memory_memory__memory-update" "sess-update-1" "$ADMIN_TRANSCRIPT"
87
- assert_passthrough "admin-direct memory-update"
88
-
89
- # --- 3. memory-search admin-direct passthrough (read tool control) -----
90
- run_with_tool "mcp__plugin_memory_memory__memory-search" "sess-search-1" "$ADMIN_TRANSCRIPT"
91
- assert_passthrough "admin-direct memory-search (read tool control)"
92
-
93
- # --- 4. pre-209 namespace mcp__memory__memory-write ---------------------
94
- # The bare mcp__memory__ namespace was never in the admin runtime surface
95
- # after Task 203's plugin_ prefix rename; this case pins that it still
96
- # falls through harmlessly after the case-block removal.
97
- run_with_tool "mcp__memory__memory-write" "sess-old-ns-1" "$ADMIN_TRANSCRIPT"
98
- assert_passthrough "pre-209 namespace mcp__memory__memory-write"
99
-
100
- # --- 5. malformed JSON stdin — hook must not crash ----------------------
101
- stderr_file=$(mktemp); TMPFILES+=("$stderr_file")
102
- stdout_file=$(mktemp); TMPFILES+=("$stdout_file")
103
- echo "not-valid-json{{{" | bash "$HOOK" admin >"$stdout_file" 2>"$stderr_file"
104
- HOOK_RC=$?
105
- HOOK_STDERR=$(cat "$stderr_file")
106
- if [[ "$HOOK_RC" -ne 0 ]]; then
107
- fail "malformed payload: expected exit 0, got $HOOK_RC stderr: $HOOK_STDERR"
108
- elif echo "$HOOK_STDERR" | grep -qF "does not write to the graph directly"; then
109
- fail "malformed payload: stderr carries deleted-block rejection message: $HOOK_STDERR"
110
- else
111
- pass "malformed payload: exit 0, hook does not crash"
112
- fi
113
-
114
- # --- Summary -----------------------------------------------------------
115
- echo "---"
116
- echo "PASSED: $PASS FAILED: $FAIL"
117
- [[ "$FAIL" -eq 0 ]] || exit 1
118
- exit 0
@@ -1,337 +0,0 @@
1
- #!/usr/bin/env bash
2
- # PreToolUse hook — enforces agent tool boundaries and approval gating.
3
- # Usage: pre-tool-use.sh <agent-type>
4
- # Receives tool call JSON on stdin (from Claude Code hook protocol).
5
- # Exit 0 = allow, exit 2 = block.
6
-
7
- set -uo pipefail
8
-
9
- AGENT_TYPE="${1:-public}"
10
-
11
- # Source the propagation emitter (Task 560). The library is fail-open;
12
- # any error path inside it logs to server.log and returns 0, so sourcing
13
- # never blocks the hook's primary allow/block contract.
14
- HOOKS_LIB_DIR="$(cd "$(dirname "$0")" 2>/dev/null && pwd)/lib"
15
- # shellcheck disable=SC1091
16
- [ -f "$HOOKS_LIB_DIR/hook-emit.sh" ] && source "$HOOKS_LIB_DIR/hook-emit.sh"
17
-
18
- # Read stdin — fail closed if unavailable
19
- if [ -t 0 ]; then
20
- # No INPUT yet; propagate with agentId=unknown so the regression is visible.
21
- if declare -F hook_emit_decision >/dev/null 2>&1; then
22
- hook_emit_decision "unknown" "admin-tool-gate" "?" "block" \
23
- "stdin-missing" "Blocked: Cannot determine tool call (no stdin). Failing closed." 2 0
24
- fi
25
- echo "Blocked: Cannot determine tool call (no stdin). Failing closed." >&2
26
- exit 2
27
- fi
28
- INPUT=$(cat)
29
- TOOL_NAME=$(echo "$INPUT" | grep -o '"tool_name":"[^"]*"' | head -1 | cut -d'"' -f4)
30
-
31
- # Session id for propagation. Empty / parse-failure routes to "unknown" —
32
- # the propagator emits the record under agentId=unknown rather than dropping.
33
- SESSION_ID=$(printf '%s' "$INPUT" | python3 -c '
34
- import sys, json
35
- try:
36
- print(json.load(sys.stdin).get("session_id", "") or "unknown")
37
- except Exception:
38
- print("unknown")
39
- ' 2>/dev/null || echo "unknown")
40
-
41
- # ---------------------------------------------------------------------------
42
- # Admin agent — code directory protection + approval gating
43
- # ---------------------------------------------------------------------------
44
- if [ "$AGENT_TYPE" = "admin" ]; then
45
-
46
- # ── Code directory protection ────────────────────────────────────────────
47
- case "$TOOL_NAME" in
48
- Write|Edit)
49
- FILE_PATH=$(echo "$INPUT" | grep -o '"file_path":"[^"]*"' | head -1 | cut -d'"' -f4)
50
- case "$FILE_PATH" in
51
- # Platform UI source (platform/ui/) — source lives here, not on device
52
- */platform/ui/app/*|*/platform/ui/lib/*|*/platform/ui/*.ts|*/platform/ui/*.tsx|*/platform/ui/*.mjs)
53
- hook_block_with_emit "$SESSION_ID" "admin-tool-gate" "${TOOL_NAME}" \
54
- "code-dir-protection-ui" \
55
- "Blocked: Admin agent cannot modify platform UI source at $FILE_PATH"
56
- ;;
57
- # Compiled MCP servers, hooks, and scripts — what actually ships to device
58
- */platform/plugins/*/mcp/dist/*|*/platform/plugins/*/hooks/*|*/platform/scripts/*)
59
- hook_block_with_emit "$SESSION_ID" "admin-tool-gate" "${TOOL_NAME}" \
60
- "code-dir-protection-platform" \
61
- "Blocked: Admin agent cannot modify platform code at $FILE_PATH"
62
- ;;
63
- # Entitlement library — verifier source, compiled output, vendored
64
- # pubkey, hash file, and any signed entitlement.json. Tampering here is the
65
- # agent path to revenue bypass; the legitimate write path is the Rubytech
66
- # issuance endpoint, never the agent's filesystem.
67
- # Patterns intentionally cover both absolute (*/...) and relative
68
- # (no leading slash) paths so an agent can't bypass via cwd-relative writes.
69
- */platform/lib/entitlement/*|platform/lib/entitlement/*|*/entitlement.json|entitlement.json)
70
- echo "[entitlement] tool-deny: tool=${TOOL_NAME} path=${FILE_PATH} field=entitlement-file" >&2
71
- hook_block_with_emit "$SESSION_ID" "admin-tool-gate" "${TOOL_NAME}" \
72
- "entitlement-file" \
73
- "Blocked: Admin agent cannot modify entitlement files at $FILE_PATH. Effective tier and purchasedPlugins derive from a Rubytech-signed payload."
74
- ;;
75
- # account.json — agent must use the account-update
76
- # MCP tool (or plugin-toggle-enabled for enabledPlugins changes), which
77
- # whitelists editable fields server-side. Direct Edit/Write bypasses
78
- # that whitelist; deny unconditionally including cwd-relative paths.
79
- # adds */account.json and *account.json as a backstop so any
80
- # layout the named patterns miss is still caught — the Adam Mackay
81
- # incident showed a tier upgrade via raw Edit on account.json reach
82
- # the disk, exactly the failure mode this hook exists to prevent.
83
- */data/accounts/*/account.json|*/config/accounts/*/account.json|data/accounts/*/account.json|config/accounts/*/account.json|*/account.json|*account.json|account.json)
84
- echo "[entitlement] tool-deny: tool=${TOOL_NAME} path=${FILE_PATH} field=account-json" >&2
85
- hook_block_with_emit "$SESSION_ID" "admin-tool-gate" "${TOOL_NAME}" \
86
- "account-json" \
87
- "Blocked: Admin agent cannot edit account.json directly. Use the account-update or plugin-toggle-enabled MCP tools — they whitelist editable fields server-side and exclude tier and purchasedPlugins by design."
88
- ;;
89
- # Pending action queue — only the hook and MCP tools may write here
90
- */pending-actions/*)
91
- hook_block_with_emit "$SESSION_ID" "admin-tool-gate" "${TOOL_NAME}" \
92
- "pending-actions" \
93
- "Blocked: Admin agent cannot modify pending action files directly"
94
- ;;
95
- esac
96
- ;;
97
- Bash)
98
- # Block shell commands referencing protected code directories or pending actions
99
- case "$INPUT" in
100
- *"platform/ui/app/"*|*"platform/ui/lib/"*|*"platform/plugins/"*"hooks/"*|*"platform/scripts/"*)
101
- hook_block_with_emit "$SESSION_ID" "admin-tool-gate" "Bash" \
102
- "code-dir-protection-bash" \
103
- "Blocked: Admin agent cannot run shell commands against code directories"
104
- ;;
105
- # Entitlement files via shell — same surface, blocked symmetrically
106
- *"platform/lib/entitlement/"*|*"entitlement.json"*)
107
- echo "[entitlement] tool-deny: tool=Bash path=entitlement-file field=entitlement-file" >&2
108
- hook_block_with_emit "$SESSION_ID" "admin-tool-gate" "Bash" \
109
- "entitlement-shell" \
110
- "Blocked: Admin agent cannot reference entitlement files via shell."
111
- ;;
112
- # account.json via shell — same rationale as Edit/Write block
113
- *"data/accounts/"*"account.json"*|*"config/accounts/"*"account.json"*)
114
- echo "[entitlement] tool-deny: tool=Bash path=account-json field=account-json" >&2
115
- hook_block_with_emit "$SESSION_ID" "admin-tool-gate" "Bash" \
116
- "account-json-shell" \
117
- "Blocked: Admin agent cannot edit account.json via shell. Use the account-update MCP tool."
118
- ;;
119
- *"pending-actions/"*)
120
- hook_block_with_emit "$SESSION_ID" "admin-tool-gate" "Bash" \
121
- "pending-actions-shell" \
122
- "Blocked: Admin agent cannot modify pending action files via shell"
123
- ;;
124
- esac
125
- ;;
126
- esac
127
-
128
- # ── Base64 context-overflow guard ─────────────────────────────
129
- # Block inline base64 payloads from reaching the model context. Two paths:
130
- #
131
- # 1. Bash command that ENCODES a binary file to base64/hex (the producer).
132
- # 2. Write/Edit content carrying an inline `data:<mime>;base64,…` blob
133
- # (the consumer — agent quoting bytes from a prior tool_result into a
134
- # HTML/markdown Write).
135
- #
136
- # Either path landed ~33 KB of base64 in the SDK request and the next turn
137
- # tripped `main_stream_stalled` at 180 s. The
138
- # remediation is symmetric: the agent saves bytes to `$ACCOUNT_DIR/tmp/<sha1>.<ext>`
139
- # and references the path (`<img src="./file">` or Read-by-path) instead of
140
- # carrying bytes through the assistant turn.
141
- #
142
- # Parsing uses python3 (already a hook dependency at the action-id site
143
- # below); grep on JSON is unsafe for content with escaped quotes or
144
- # embedded newlines. Parse failure is fail-open (empty extracted string,
145
- # no match, allow) — matches the playwright-file-guard fail-open contract.
146
- # Single python3 invocation parses the JSON, runs the tool-specific
147
- # regex match (avoiding BSD-vs-GNU grep interval-count incompatibilities —
148
- # `grep -E '{4096,}'` errors with "invalid repetition count(s)" on macOS
149
- # BSD grep under some pattern combinations), and prints the rejection
150
- # outcome to stdout as `REJECT:<reason>:<bytes>` or `ALLOW`. The wrapping
151
- # bash logic reads the verdict and emits the rejection log/stderr/exit-2.
152
- # Parse failure prints `ALLOW` (fail-open, matching the playwright-file-
153
- # guard contract for malformed stdin).
154
- GUARD_VERDICT=$(echo "$INPUT" | python3 -c '
155
- import sys, json, re
156
- try:
157
- d = json.load(sys.stdin)
158
- tool = d.get("tool_name", "")
159
- ti = d.get("tool_input", {}) or {}
160
- if tool in ("Write", "Edit"):
161
- # Write.content OR Edit.new_string can carry inline base64.
162
- content = ti.get("content") or ti.get("new_string") or ""
163
- if not isinstance(content, str):
164
- print("ALLOW"); sys.exit(0)
165
- # data:<mime>;base64,<≥4096 base64 chars> — threshold matches the
166
- # doctrine paragraph in .docs/agents.md. The 4096-char body is
167
- # ~3 KB binary, far above any legitimate inline icon.
168
- m = re.search(r"data:[^;]+;base64,[A-Za-z0-9+/]{4096,}={0,2}", content)
169
- if m:
170
- print(f"REJECT:base64-write-content:{len(content)}")
171
- else:
172
- print("ALLOW")
173
- elif tool == "Bash":
174
- command = ti.get("command", "")
175
- if not isinstance(command, str):
176
- print("ALLOW"); sys.exit(0)
177
- # Per-segment scan. A compound command like
178
- # cat in.b64 | base64 -d > out.bin; cat photo.png | base64
179
- # contains both a legitimate decode AND a malicious encoder. A whole-
180
- # command decode-flag check is fooled into allowing the encoder. Split
181
- # on shell separators (;, &&, ||, &) and scan each segment as its own
182
- # command — the encoder rejection fires when ANY segment is a bare
183
- # base64 invocation without a paired decode flag in the SAME segment.
184
- # Pipelines (|) keep the segment together because the encoder direction
185
- # of `cat file | base64` lives across the pipe.
186
- segments = re.split(r";|&&|\|\||(?<![|&])&(?![|&])", command)
187
- rejected = None
188
- for seg in segments:
189
- if re.search(r"(?:^|[\s|;&])xxd[\t ]+-p(?![A-Za-z0-9_-])", seg):
190
- rejected = "xxd-plain-hex"; break
191
- if re.search(r"(?:^|[\s|;&])base64(?![A-Za-z0-9_-])", seg):
192
- if not re.search(r"base64[\t ]+[^|]*(?:-d|-D|--decode)(?![A-Za-z0-9_])", seg):
193
- rejected = "base64-encoder"; break
194
- if rejected:
195
- print(f"REJECT:{rejected}:{len(command)}")
196
- else:
197
- print("ALLOW")
198
- else:
199
- print("ALLOW")
200
- except Exception:
201
- print("ALLOW")
202
- ' 2>/dev/null || echo "ALLOW")
203
- case "$GUARD_VERDICT" in
204
- REJECT:base64-write-content:*)
205
- BYTES="${GUARD_VERDICT##*:}"
206
- echo "[pre-tool-use] guard=base64-write-content bytes=${BYTES} action=reject" >&2
207
- hook_block_with_emit "$SESSION_ID" "base64-guard" "${TOOL_NAME}" \
208
- "base64-write-content" \
209
- "Blocked: ${TOOL_NAME} content carries an inline base64 payload (>4 KB encoded). Inline binary in Write.content overloads the model context — the same path produced a main_stream_stalled at ~33 KB on 2026-05-09.
210
- Save the bytes to \$ACCOUNT_DIR/tmp/<sha1>.<ext> via Bash (e.g. 'base64 -d > out.png'), then reference the file from the document: <img src=\"./<file>\"> or Read-by-path. Do not carry binary bytes through the assistant turn."
211
- ;;
212
- REJECT:base64-encoder:*|REJECT:xxd-plain-hex:*)
213
- REASON="${GUARD_VERDICT#REJECT:}"; REASON="${REASON%:*}"
214
- BYTES="${GUARD_VERDICT##*:}"
215
- echo "[pre-tool-use] guard=base64-tool-result bytes=${BYTES} tool=Bash reason=${REASON} action=reject" >&2
216
- hook_block_with_emit "$SESSION_ID" "base64-guard" "Bash" \
217
- "$REASON" \
218
- "Blocked: Bash command would emit binary as inline base64/hex to stdout, which lands in the assistant turn and overloads the model context (the 2026-05-09 Rubytech-invoice path hit 66% context after a single ~33 KB tool_result).
219
- Instead: save the bytes directly to \$ACCOUNT_DIR/tmp/<sha1>.<ext> and operate on the file via path — Read for inspection, <img src=\"./<file>\"> for HTML embedding, the \`file-presentation\` skill for delivery. Decoding base64 (e.g. 'base64 -d in.b64 > out.bin') is allowed."
220
- ;;
221
- *)
222
- : # ALLOW — fall through to approval gating below
223
- ;;
224
- esac
225
-
226
- # ── Approval gating (EU AI Act Article 14 — human oversight) ─────────────
227
- # Strip the mcp__<plugin>__ prefix to get the short tool name.
228
- # Built-in tools (no prefix) pass through unchanged.
229
- SHORT_NAME=$(echo "$TOOL_NAME" | sed 's/^mcp__[^_]*__//')
230
-
231
- # Derive platform root from this hook's location:
232
- # platform/plugins/admin/hooks/pre-tool-use.sh → platform/
233
- HOOK_DIR="$(cd "$(dirname "$0")" 2>/dev/null && pwd)"
234
- PLATFORM_ROOT="${HOOK_DIR}/../../.."
235
-
236
- # Resolve the single account directory (Phase 0).
237
- ACCOUNTS_DIR="${PLATFORM_ROOT}/../data/accounts"
238
- ACCOUNT_DIR=""
239
- if [ -d "$ACCOUNTS_DIR" ]; then
240
- ACCOUNT_DIR=$(find "$ACCOUNTS_DIR" -mindepth 1 -maxdepth 1 -type d 2>/dev/null | head -1)
241
- fi
242
-
243
- # Default require-review tools — matches DEFAULT_REQUIRE_REVIEW in claude-agent.ts
244
- DEFAULT_REQUIRE_REVIEW="email-send email-reply whatsapp-send whatsapp-send-document message contact-erase"
245
-
246
- # Check if this tool requires approval review.
247
- # 1. Read per-account override from account.json approvalPolicy (if it exists)
248
- # 2. Fall back to the default require-review list
249
- POLICY=""
250
- if [ -n "$ACCOUNT_DIR" ] && [ -f "${ACCOUNT_DIR}/account.json" ]; then
251
- # Check per-account override first (grep for the tool name in the approvalPolicy block)
252
- OVERRIDE=$(grep -o "\"${SHORT_NAME}\"[[:space:]]*:[[:space:]]*\"[^\"]*\"" "${ACCOUNT_DIR}/account.json" 2>/dev/null | head -1 | grep -o '"[^"]*"$' | tr -d '"')
253
- if [ -n "$OVERRIDE" ]; then
254
- POLICY="$OVERRIDE"
255
- fi
256
- fi
257
-
258
- # If no per-account override, check the default list
259
- if [ -z "$POLICY" ]; then
260
- for TOOL in $DEFAULT_REQUIRE_REVIEW; do
261
- if [ "$SHORT_NAME" = "$TOOL" ]; then
262
- POLICY="require-review"
263
- break
264
- fi
265
- done
266
- fi
267
-
268
- # If not in any policy, auto-execute (allow)
269
- if [ "$POLICY" != "require-review" ]; then
270
- exit 0
271
- fi
272
-
273
- # ── Special case: contact-erase preview calls pass through ───────────────
274
- # The contact-erase tool has a two-step flow: first call with confirm:false
275
- # returns a preview (data counts), second call with confirm:true executes.
276
- # Only gate the destructive confirm:true call.
277
- if [ "$SHORT_NAME" = "contact-erase" ]; then
278
- if ! echo "$INPUT" | grep -q '"confirm"[[:space:]]*:[[:space:]]*true'; then
279
- exit 0
280
- fi
281
- fi
282
-
283
- # ── Queue the action for approval ───────────────────────────────────────
284
- PENDING_DIR="${ACCOUNT_DIR}/pending-actions"
285
- mkdir -p "$PENDING_DIR" 2>/dev/null
286
-
287
- ACTION_ID="$(cat /proc/sys/kernel/random/uuid 2>/dev/null || python3 -c 'import uuid; print(uuid.uuid4())' 2>/dev/null || date +%s%N)"
288
- CREATED_AT="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
289
-
290
- # Write atomically: temp file + mv
291
- TEMP=$(mktemp "${PENDING_DIR}/.tmp.XXXXXX" 2>/dev/null)
292
- if [ -z "$TEMP" ]; then
293
- hook_block_with_emit "$SESSION_ID" "approval-gate" "${TOOL_NAME}" \
294
- "approval-queue-mktemp" \
295
- "Blocked: Action requires approval but failed to create queue file (disk error). Failing closed."
296
- fi
297
-
298
- # The pending action file contains the full hook JSON (tool_name + tool_input)
299
- # plus metadata. The MCP approval tools parse it with Node.js JSON.parse.
300
- cat > "$TEMP" <<ENDJSON
301
- {
302
- "actionId": "${ACTION_ID}",
303
- "toolName": "${SHORT_NAME}",
304
- "pluginName": "$(echo "$TOOL_NAME" | sed -n 's/^mcp__\([^_]*\)__.*/\1/p')",
305
- "hookPayload": ${INPUT},
306
- "state": "pending",
307
- "createdAt": "${CREATED_AT}"
308
- }
309
- ENDJSON
310
-
311
- if ! mv "$TEMP" "${PENDING_DIR}/${ACTION_ID}.json" 2>/dev/null; then
312
- rm -f "$TEMP" 2>/dev/null
313
- hook_block_with_emit "$SESSION_ID" "approval-gate" "${TOOL_NAME}" \
314
- "approval-queue-mv" \
315
- "Blocked: Action requires approval but failed to queue (filesystem error). Failing closed."
316
- fi
317
-
318
- # Record the queued-for-approval block in the propagation buffer; the
319
- # readable summary still goes to stdout (CC attaches it as the agent's
320
- # tool_result). hook_emit_decision is the no-exit variant — the
321
- # subsequent echoes + exit 2 below remain the operator-facing surface.
322
- hook_emit_decision "$SESSION_ID" "approval-gate" "${TOOL_NAME}" \
323
- "block" "approval-queued" \
324
- "Action ${ACTION_ID} queued for review" 2 0
325
-
326
- # Extract a readable summary of the action for the agent to present
327
- # tool_input is the second JSON value in the hook payload
328
- echo "Action requires approval before execution."
329
- echo ""
330
- echo "Action ID: ${ACTION_ID}"
331
- echo "Tool: ${SHORT_NAME}"
332
- echo "Status: Queued for review"
333
- echo ""
334
- echo "The admin must approve this action before it can execute."
335
- echo "Use action-approve to send, action-reject to cancel, or action-edit to modify."
336
- exit 2
337
- fi